HOWTO Mac OS X Server (10.4)

So, I had an afternoon to work on this, and I got a successful install. I was sad to find there was so little documentation from other people using Mac OS X Server, so I decided to write up what I did. This worked for me, and it'll probably work for you, but as always, YMMV.

Now, there may have been much simpler ways to accomplish this, and I'm sure it's a little rough around the edges, but it works, and I'm happy. Hopefully it'll help someone else.

Procedure

1. Get the software

2. Unpack the software

tar xvfj fail2ban-0.8.4.tar.bz2

3. Install the software

cd fail2ban-0.8.4
sudo python setup.py install

4. Fix an issue with Python 2.3

In OS X 10.4.x, Apple ships Python 2.3 by default. That Python lacks select.poll(), so the call
asyncore.loop(use_poll = True) in the fail2ban server (asyncore[1] is the standard event loop
module fail2ban's server is built on) fails. The fix is to make use_poll conditional on poll()
actually being available, by editing /usr/share/fail2ban/server/asyncserver.py as root. (I use
emacs, but feel free to use what you like.)

sudo emacs /usr/share/fail2ban/server/asyncserver.py

Change line 135 from this:

asyncore.loop(use_poll = True)

To this:

asyncore.loop(timeout=1, use_poll=hasattr(asyncore.select, 'poll'))

5. Make a spot for the log file

sudo touch /var/log/fail2ban.log

6. Edit the fail2ban configuration files

Here's where you need to tell the program what you want to do. You can read all about this on the fail2ban wiki [2]. I'm only focusing on using ssh & ipfw.

sudo emacs /etc/fail2ban/jail.conf

In the section marked [ssh-ipfw], you'll want to make it look like so:

Obviously, you'll want to replace the dummy placeholders in that section with your own IP addresses. If you only have one IP address, you can leave the <localhost> tag in place (just make sure <localhost> is defined in /etc/fail2ban/action.d/ipfw.conf).

(Note: I also added rule numbers 200 & 201 so that the ban rules are evaluated early; ipfw walks its rules in ascending number order, so a low number puts them higher up in the IPFW food chain.)

Further enhancement

While the above actionban does block unwanted addresses from specific ports, it suffers from putting all the banned addresses under a single rule number with a specific port. "ipfw delete" takes a rule number, not an address, so when the unban command is issued for the first blocked address it removes every rule with that number (in the above case rules 200 and 201), including the addresses that were banned after the first one. This is not desirable, since any address added between the first ban and its corresponding unban will now be allowed by the firewall and only logged as "already banned" by fail2ban (until its ban time is up or fail2ban is reloaded).

The improved actionban searches for and uses the first available rule number starting at 150, so each banned address gets its own rule. When it is time to unban an address, only that one rule is removed, preserving the other banned addresses.

Some attackers will cycle through ports while using the same IP address. By changing "to your-private-addy-here <port>" to "to any" in the ipfw add rule, the firewall blocks all traffic from the banned address to this server, not just a specific port. If you still need to specify your server's IP address, just leave off the <port> so it blocks all traffic to that address.

(Note: This method works until the counter reaches 1000, at which point rules you want to keep may be deleted. If you have a large number of banned addresses, you may want to consider permanently banning some of them.)
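The following is an added example of the one-rule-per-address scheme described in this section; it is not the script from the original write-up and not fail2ban's own ipfw action. It assumes RULE_MIN=150 and RULE_MAX=999 (stopping short of the 1000 boundary noted above), blocks with "deny ip ... to any", and factors the rule-number search and the per-address lookup into functions that read "ipfw list" output from stdin, so they can be exercised on a constructed listing without a running firewall. The ipfw-calling wrappers ban_ip and unban_ip are only defined, not run:

```shell
#!/bin/sh
# Added example, not the script from the original page: an ipfw ban/unban
# helper for fail2ban that gives every banned address its own rule number.
# RULE_MIN, RULE_MAX and the "deny ip ... to any" rule form are assumptions.

RULE_MIN=150   # first rule number used for bans (assumption)
RULE_MAX=999   # stay below 1000, where this host's own rules begin

# Print the lowest rule number in [RULE_MIN, RULE_MAX] that does not occur
# in the `ipfw list` text read from stdin. Prints nothing and returns 1 when
# the range is exhausted, so the caller refuses to ban rather than reusing
# a number that belongs to a real rule.
find_free_rule() {
    # ipfw prints rule numbers zero-padded (00150); $1+0 normalises them.
    used=" $(awk '{print $1+0}' | tr '\n' ' ') "
    n=$RULE_MIN
    while [ "$n" -le "$RULE_MAX" ]; do
        case "$used" in
            *" $n "*) n=$((n + 1)) ;;
            *) echo "$n"; return 0 ;;
        esac
    done
    return 1
}

# Print the rule number(s) whose source address is exactly $1, from the
# `ipfw list` text on stdin. A literal substring match avoids treating the
# dots in an IP address as regex wildcards.
rules_for_ip() {
    awk -v needle="from $1 to " 'index($0, needle) > 0 {print $1+0}'
}

# actionban replacement: one rule per address, blocking every port so an
# attacker who cycles ports is stopped everywhere.
ban_ip() {
    rule=$(ipfw list | find_free_rule) || {
        echo "ban_ip: no free rule number between $RULE_MIN and $RULE_MAX" >&2
        return 1
    }
    ipfw add "$rule" deny ip from "$1" to any
}

# actionunban replacement: delete only the rule(s) holding this address,
# leaving every other banned address in place.
unban_ip() {
    for rule in $(ipfw list | rules_for_ip "$1"); do
        ipfw delete "$rule"
    done
}

# Constructed `ipfw list` output for a stand-alone run (no ipfw needed).
SAMPLE_IPFW_LIST='00100 allow ip from any to any via lo0
00150 deny ip from 10.0.0.5 to any
00151 deny ip from 10.0.0.6 to any
00200 unreach port tcp from 192.0.2.7 to 203.0.113.2 dst-port 22
01000 allow tcp from any to 203.0.113.2 dst-port 22
65535 allow ip from any to any'

printf '%s\n' "$SAMPLE_IPFW_LIST" | find_free_rule        # prints 152
printf '%s\n' "$SAMPLE_IPFW_LIST" | rules_for_ip 10.0.0.6  # prints 151
```

To wire it in, install the script somewhere root-owned (say /usr/local/sbin/fail2ban-ipfw.sh, a hypothetical path), add a small "case $1 in ban) ban_ip "$2";; unban) unban_ip "$2";; esac" dispatcher at the bottom, and point actionban and actionunban in /etc/fail2ban/action.d/ipfw.conf at it with "<ip>" as the second argument. Because unban deletes by the number that rules_for_ip finds rather than a fixed 200/201, the problem described above does not arise, and the range check makes the 1000 boundary a refused ban (logged to stderr) instead of a silently clobbered rule.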